Tuesday, June 24, 2025

Virtual Cloud Network - Networking Constructs

 


Simple Architecture:




Oracle Cloud Infrastructure (OCI) – VCN Networking Constructs

In Oracle Cloud Infrastructure (OCI), a VCN (Virtual Cloud Network) is the foundational networking component that allows you to securely connect and isolate cloud resources like compute instances, databases, and load balancers.

What is a VCN in OCI?

A VCN (Virtual Cloud Network) is a software-defined private network that closely resembles a traditional on-premises network, including subnets, route tables, gateways, and firewall rules. It is region-specific and highly configurable.







Example Architecture:




OCI’s Virtual Cloud Network (VCN) allows you to build isolated, secure, and highly configurable networks in the cloud. Below are the key constructs used in OCI VCNs:

1. VCN (Virtual Cloud Network)

  • A customizable, private network in a specific OCI region.

  • CIDR block range: /16 to /30, e.g., 10.0.0.0/16.

  • Supports multiple subnets and regional architecture.

2. Subnets

  • Regional (not tied to availability domains).

  • Two types:

    • Public Subnet: Associated with Internet Gateway; resources can be publicly accessible.

    • Private Subnet: No internet access; used for internal workloads.

3. Route Tables

  • Define how traffic is routed from the subnet.

  • Each subnet is associated with a single route table.

  • Common targets:

    • Internet Gateway for public access

    • NAT Gateway for outbound access from private subnets

    • Service Gateway for OCI services (e.g., Object Storage)

    • Dynamic Routing Gateway (DRG) for on-premises or remote VCN connectivity

4. Internet Gateway (IG)

  • Enables outbound and inbound internet traffic for public subnets.

  • Must be added to the route table for use.

5. NAT Gateway

  • Allows private subnet instances to access the internet for outbound-only communication.

  • Keeps the resources not directly reachable from the internet.

6. Service Gateway

  • Allows private subnets to access OCI services (like Object Storage) without using the internet.

  • Traffic stays within the OCI network backbone.

7. Dynamic Routing Gateway (DRG)

  • Connects a VCN with:

    • On-premises network over IPSec VPN

    • FastConnect (dedicated private connection)

    • Other VCNs (remote peering)

  • Essential for hybrid and multi-region cloud setups.

8. Local and Remote Peering

  • Local Peering: Connects two VCNs within the same region.

  • Remote Peering: Connects VCNs across regions via DRG and RPC (Remote Peering Connection).

9. Security Lists

  • Stateless or stateful firewall rules applied at the subnet level.

  • Specify source/destination CIDRs, protocols, and ports.

  • Less granular than NSGs.

10. Network Security Groups (NSGs)

  • Apply firewall rules to individual resources (like compute instances or load balancers).

  • Allow resource-level access control.

  • Preferred over security lists for more precise configurations.

11. Public IPs

  • Two types:

    • Ephemeral: Temporary, attached at instance launch.

    • Reserved: Static and can be attached/detached from resources.

Example: Simple OCI VCN Setup

Components:

  • VCN: 10.0.0.0/16

  • Public Subnet: 10.0.0.0/24 with IGW

  • Private Subnet: 10.0.1.0/24 with NAT Gateway

  • Internet Gateway

  • NAT Gateway

  • Route Tables (2): One for public, one for private subnet

  • Security Lists or NSGs to control access

  • Service Gateway for private access to OCI services

 Terraform Snippet (Example)


resource "oci_core_virtual_network" "vcn" {
  cidr_block = "10.0.0.0/16"
  compartment_id = var.compartment_id
  display_name = "my-vcn"
}

resource "oci_core_internet_gateway" "igw" {
  compartment_id = var.compartment_id
  display_name = "my-internet-gateway"
  vcn_id = oci_core_virtual_network.vcn.id
  is_enabled = true
}

Script to generate PNG image:

import matplotlib.pyplot as plt

import matplotlib.patches as patches


fig, ax = plt.subplots(figsize=(14, 10))

ax.set_xlim(0, 120)

ax.set_ylim(0, 110)

ax.axis('off')


# VCN

vcn = patches.Rectangle((5, 15), 90, 85, linewidth=2, edgecolor='blue', facecolor='lightblue')

ax.add_patch(vcn)

ax.text(50, 105, "VCN: 10.0.0.0/16", fontsize=14, ha='center', weight='bold')


# Public Subnet

public_subnet = patches.Rectangle((10, 75), 35, 20, linewidth=1.5, edgecolor='green', facecolor='lightgreen')

ax.add_patch(public_subnet)

ax.text(27.5, 93, "Public Subnet\n10.0.0.0/24", ha='center', fontsize=10)


# Private Subnet

private_subnet = patches.Rectangle((55, 75), 35, 20, linewidth=1.5, edgecolor='orange', facecolor='moccasin')

ax.add_patch(private_subnet)

ax.text(72.5, 93, "Private Subnet\n10.0.1.0/24", ha='center', fontsize=10)


# Instances

ax.text(20, 85, "Web Server\n(Public IP)", fontsize=9, ha='center')

ax.plot(20, 82, marker='s', markersize=10, color='darkgreen')

ax.text(30, 85, "Bastion Host", fontsize=9, ha='center')

ax.plot(30, 82, marker='s', markersize=10, color='darkgreen')


ax.text(65, 85, "App Server", fontsize=9, ha='center')

ax.plot(65, 82, marker='s', markersize=10, color='darkorange')

ax.text(80, 85, "DB Server", fontsize=9, ha='center')

ax.plot(80, 82, marker='s', markersize=10, color='darkorange')


# Gateways

ax.text(20, 55, "Internet Gateway", fontsize=9, ha='center')

ax.plot(20, 52, marker='o', markersize=10, color='blue')


ax.text(80, 55, "NAT Gateway", fontsize=9, ha='center')

ax.plot(80, 52, marker='o', markersize=10, color='purple')


ax.text(50, 30, "Service Gateway", fontsize=9, ha='center')

ax.plot(50, 27, marker='o', markersize=10, color='gray')


# DRG, VPN, FastConnect, On-Prem

ax.text(100, 80, "DRG", fontsize=10, ha='center', weight='bold')

ax.plot(100, 77, marker='o', markersize=12, color='black')


ax.text(100, 65, "IPSec VPN", fontsize=9, ha='center')

ax.plot(100, 62, marker='D', markersize=8, color='teal')


ax.text(100, 50, "FastConnect", fontsize=9, ha='center')

ax.plot(100, 47, marker='D', markersize=8, color='gold')


ax.text(115, 70, "On-Premises\nNetwork", fontsize=9, ha='center')

ax.plot(115, 67, marker='s', markersize=12, color='brown')


# Arrows

ax.annotate("", xy=(20, 75), xytext=(20, 52), arrowprops=dict(arrowstyle="->"))

ax.annotate("", xy=(80, 75), xytext=(80, 52), arrowprops=dict(arrowstyle="->"))

ax.annotate("", xy=(65, 75), xytext=(50, 27), arrowprops=dict(arrowstyle="->"))


# DRG arrows

ax.annotate("", xy=(90, 80), xytext=(100, 77), arrowprops=dict(arrowstyle="->"))

ax.annotate("", xy=(100, 77), xytext=(100, 62), arrowprops=dict(arrowstyle="->", color='teal'))

ax.annotate("", xy=(100, 77), xytext=(100, 47), arrowprops=dict(arrowstyle="->", color='gold'))

ax.annotate("", xy=(100, 62), xytext=(115, 67), arrowprops=dict(arrowstyle="->", color='brown'))

ax.annotate("", xy=(100, 47), xytext=(115, 67), arrowprops=dict(arrowstyle="->", color='brown'))


# Save to file

plt.tight_layout()

plt.savefig("oci_vcn_architecture.png", dpi=300)

plt.show()



-
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Google, Mozilla, and Apple choosing to no longer support Entrust as a publicly trusted certificate authority

Google, Mozilla, and Apple have all decided to stop trusting Entrust’s publicly issued certificates after specific cutoff dates , due to lon...